GPS tracking company Hapn has exposed the names of thousands of its customers due to a website error, TechCrunch has learned.
A security researcher alerted TechCrunch in late November that customer names and affiliations, such as the name of their workplace, were being served from one of Hapn's servers. TechCrunch has reviewed the exposed data.
Hapn, formerly known as Spytec, is a tracking company that lets users remotely monitor the real-time location of internet-connected tracking devices that can be attached to vehicles or other objects. The company also sells GPS trackers under its Spytec brand to consumers, who rely on the Hapn app for tracking. Spytec advertises its GPS devices for locating valuable possessions and "dear people". According to its website, Hapn claims to track more than 460,000 devices and counts Fortune 500 companies among its customers.
The flaw allowed anyone logged in with a Hapn account to view the exposed data using the developer tools built into their web browser.
The exposed data included information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The data exposed did not include location data, but thousands of records included the names and business affiliations of customers who own or are tracked by the GPS trackers.
Hapn responded to several emails from TechCrunch. Multiple emails to Hapn CEO Joe Besdin were not returned before publication. A message sent to an email address listed in the company's privacy policy bounced with an error stating that the address does not exist. The company's website does not have a vulnerability reporting form.
In an email to TechCrunch after publication, Hapn CEO Joe Besdin said the company had no knowledge of the exposure before publication and that the data was limited to three customer accounts, each with a large number of trackers. Besdin said the disclosed records concern data from April 2024.
Besdin said the security issue had been resolved.
When we contacted people whose names and affiliations appeared in the disclosed data, several confirmed their names and jobs but declined to discuss their use of the GPS trackers. According to TechCrunch, a company listed as a corporate customer on Hapn's website had multiple trackers in the disclosed data.
The security researcher said he began investigating the GPS tracker after discovering that customers had left online reviews for the devices recommending the tracker for monitoring a spouse or partner. (TechCrunch has seen dozens of reviews on Spytec's online stores from customers who claim to have used the GPS devices to track their spouses.)
The list of exposed customer records also showed thousands of trackers with associated names but no other apparent affiliation. It is not known whether those people were aware that they were being tracked.
Updated after publication with comment from Hapn.